TL:DW version: a hacker (or group of hackers) managed to become a trusted maintainer of the xz project, and used that to build a backdoor into SSH protocols. They almost managed to make it into several distros - for a short bit, their backdoor was in Fedora and Debian. Someone by accident noticed how Debian SSH calls were taking longer than usual, and reported it to Debian, which then sounded the alarm to everyone else.
Original discussion on Tildes:
https://tildes.net/~comp/1fa5/backdoor_in_upstream_libxz_targeting_sshd
Yeah, I remember this, almost two years ago.
I was (would have been?) vulnerable, as LZMA is my favorite compressor; I tend to get much smaller archives with it than others. And all my hosts are Debian. Makes you wonder what commonly used software out there may be affected in the same ways that have not been discovered yet.